{"id":"MAL-2026-6480","summary":"Malicious code in gx-npm-lib (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e919710d2f28ec776b8165821ebe2fbe480c1e432ec9416c7b73bd1315ee6a6e)\nPackage published at version 99.99.99 under a generic name (`gx-npm-lib`) — the canonical dependency-confusion shape used to overshadow internal packages in CI version resolution. The `postinstall` lifecycle script runs `node beacon.js`, which collects installer metadata (package name, `os.hostname()`, `os.userInfo()` username, `process.cwd()`, the names of `process.env` variables, and Node version) and exfiltrates it via two channels to the hardcoded attacker-controlled OAST domain `d8uectoqtvskhftsa940pm3kth3ahdxn4.oast.me`: (1) a DNS lookup encoding `pkg.host.user` as subdomains, and (2) a base64-encoded HTTPS GET to `https://d8uectoqtvskhftsa940pm3kth3ahdxn4.oast.me/\u003cpkg\u003e?d=\u003cbase64\u003e`. The package self-describes as a 'security-research placeholder' for a dependency-confusion PoC, but that self-label does not constitute installer consent — `npm install` in any environment where this package resolves (CI for an internal `gx-npm-lib`, or a developer mistyping) leaks host/user/cwd/environment inventory to the attacker's OAST collector. Multi-channel (DNS + HTTPS+base64) exfiltration to a hardcoded interactsh-style domain on a default install is a textbook active supply-chain attack.\n","modified":"2026-06-25T23:16:24.817879206Z","published":"2026-06-25T22:30:08Z","database_specific":{"malicious-packages-origins":[{"versions":["99.99.99"],"sha256":"e919710d2f28ec776b8165821ebe2fbe480c1e432ec9416c7b73bd1315ee6a6e","modified_time":"2026-06-25T22:30:08Z","import_time":"2026-06-25T23:00:34.6160742Z","source":"amazon-inspector","id":"IN-MAL-2026-007560"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/gx-npm-lib/v/99.99.99"}],"affected":[{"package":{"name":"gx-npm-lib","ecosystem":"npm","purl":"pkg:npm/gx-npm-lib"},"versions":["99.99.99"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-pkF9XgdUnVdjNYbsn2ffbnywa+bABrrlHzqlECQFG/xcTDJhKTotDc+7nDApaa8xBBhWAeFyWQ48Mq+ZU29WFQ==","sha1":"f52f2ff07b0692fa4ad23c7182a3a3df03ff14b6"},"filename":"gx-npm-lib-99.99.99.tgz"}],"evidence_files":[{"sha256":"8642a1b9117942eed77327a315389d97f652317c03f2506a9ee28793621af7b5","path":"beacon.js","tlsh":"2841879f99e8a12822f721f446af402526b3d2631358ddd0745ca3158f75db803d6cfe"},{"sha256":"f43dd7e027aca56b2f5dd3547f6f38df2e417061bdba6530ee0d848234f266fa","path":"package.json","tlsh":"92f0ac48f4146e7665e655e2183970c237314c4b9b10a949b69f80086b1dee703fb1aa"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/gx-npm-lib/MAL-2026-6480.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}